AUDIT2WHY(8) NSA AUDIT2WHY(8)
NAME
audit2why - Translates SELinux audit messages into a description of why
the access was denied
SYNOPSIS
audit2why [options]
OPTIONS
--help Print a short usage message
-p <policyfile>
Specify an alternate policy file.
DESCRIPTION
This utility processes SELinux audit messages from standard input and
reports which component of the policy caused each permission denial,
based on the specified policy file if the -p option was used or the
active policy otherwise. There are three possible causes: 1) a missing
or disabled TE allow rule, 2) a constraint violation, or 3) a missing
role allow rule. In the first case, the TE allow rule may exist in
the policy but may be disabled due to boolean settings. See
booleans(8). If the allow rule is not present at all, it can be generated
via audit2allow(1). In the second case, a constraint is being
violated; see policy/constraints or policy/mls to identify the particular
constraint. Typically, this can be resolved by adding a type
attribute to the domain. In the third case, a role transition was
attempted but no allow rule existed for the role pair. This can be
resolved by adding an allow rule for the role pair to the policy.
EXAMPLE
$ /usr/sbin/audit2why < /var/log/audit/audit.log
type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.
type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.
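The following is an added example, not part of the man page or of the audit2why source: a small Python parser for AVC denial lines of the form shown above. It extracts the fields audit2why consults (denied permissions, source and target contexts split into user/role/type/MLS range, object class) and groups denied permissions by the (source type, target type, class) triple that a TE allow rule is keyed on. The sample log is constructed from the two lines in the EXAMPLE section.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denial lines from the EXAMPLE section.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def split_context(ctx):
    """Split 'user:role:type[:range]'; range is None when the policy is not MLS."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Parse one AVC denial line into its fields; return None for non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC line missing %s: %r" % (missing, line))
    return {"perms": m.group("perms").split(),
            "source": split_context(fields["scontext"]),
            "target": split_context(fields["tcontext"]),
            "tclass": fields["tclass"],
            "object": fields.get("path") or fields.get("name")}

def summarize(log_text):
    """Group denied permissions by (source type, target type, class): the key a
    TE allow rule is written against, and what audit2why/audit2allow look up."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize(SAMPLE_LOG).items():
        print("%s -> %s (%s): %s" % (stype, ttype, tclass, " ".join(perms)))
```

Feeding /var/log/audit/audit.log to summarize() gives the same grouping audit2why walks before deciding whether a TE rule, a constraint, or a role allow rule is the cause; the MLS ranges kept in "range" are what a constraint check in policy/mls would compare.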
AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>,
audit2why utility was written by Stephen Smalley <sds@tycho.nsa.gov>.
Security Enhanced Linux May 2005 AUDIT2WHY(8)